Layer7 API Management

Expand all | Collapse all

How to protect encoded XSS threats

Jump to Best Answer
  • 1.  How to protect encoded XSS threats

    Posted 05-02-2017 05:24 AM

    We need to protect our API from XSS threats. 

     

    For example:

    JSON Body:

    {    "id": 1,    "name": "<script>alert123</script>",    "price": 12.50,    "tags": ["home", "green"]}

    This can be blocked using 'Protect against code injection' assertion. 

    Options selected: 'HTML/JavaScript Injection(Cross Site Scription)'. 

     

    But how about a case where a code is injected using encoded values:

    {    "id": 1,    "name": "%3Cscript%3Ealert123%3C%5Cscript%3E",    "price": 12.50,    "tags": ["home", "green"]}

    Where decoded values are listed below:

    %3C = <

    %3E = >

    %5C = \

     

    "%3Cscript%3Ealert123%3C%5Cscript%3E = <script>alert123</script>

    Gateway is unable to identify such threats and requests are getting processed. 

     

    We do have tried by selecting an option 'XPath Injection' in 'Protect against code injection' assertion. 

     

     

    Can someone help to fix this issue?

     

    Regards

    Kareem 



  • 2.  Re: How to protect encoded XSS threats
    Best Answer

    Posted 05-02-2017 06:14 PM
      |   view attached

    Kareem,

     

    The text that is being interrupted is left URL encoded so no view as problematic. You will need to add in the Encode/Decode assertion to URL decode the payload prior to the Protect against code injection. I've attached a sample policy to help.

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support

     

    Attachment(s)

    zip
    xss_encoded.xml.zip   835B 1 version


  • 3.  Re: How to protect encoded XSS threats

    Posted 05-03-2017 02:57 AM

    Thanks Stephen for a quick response. This is working for us. 

     

    One more question, do we need to decode again before routing request to downstream services?

     

    Regards

    Kareem



  • 4.  Re: How to protect encoded XSS threats

    Posted 05-03-2017 04:20 PM

    That will depend on whether or not your downstream services can handle(or are expecting) the data being passed to the API to be left URL encoded.



  • 5.  Re: How to protect encoded XSS threats

    Posted 05-03-2017 04:24 PM

    Kareem,

     

    If you decode the value before the validation, you don't need to decode the value again as it will already be. You may want to copy the original request out to a variable and decode then validate so that the original request can be passed through unchanged if it does not fail.

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support